Is Microsoft forgetting what it knows about security process?

Summary: With the fight over who can put a browser on Windows RT still simmering away and with Windows RT tablets only a month off, now is not the time for Microsoft to make careless mistakes with Windows 8.


It's been an interesting week for foot-in-mouth in the tech industry, starting with Nokia suffering from the difference between TV ads and internet promotion.

With TV ads, simulated footage of what phones deliver is perfectly common, with a label so small I expect most viewers never spot it. But with internet promotion, simulated footage is automatically assumed to be an attempt at deception.

It's a shame the hugely impressive image stabilisation in the Lumia 920 Windows Phone 8 handset wasn't clearly labelled in the ad as a simulation of the difference in quality you'll get — especially when Nokia's real footage is just as impressive.

Then there's Microsoft apparently deciding not to update the version of Flash that's built into IE 10 in Windows 8 until October even though Adobe has put out a fix for Flash in all other browsers.

That decision puts Microsoft in the absurd position of having IE 9 and even Chrome users better protected against Flash attacks. The only reason for Microsoft to take over the role of distributing Flash in IE from Adobe is to give users better protection, not worse.

Ed Bott provides details of how to turn on ActiveX Filtering in IE 10, which will let you enable Flash and any other ActiveX only on the sites where you want to use it. That feature is good for performance as well as security and probably a good idea anyway. But it's not how you should have to handle Flash security in this day and age.

Process to ensure security is a priority

It's also a huge surprise. Security is a major focus for Windows 8, which has excelled in its other security improvements, and Microsoft usually has a process to ensure security is a priority. I'm assuming sanity will prevail and IT admins and BizSpark members and volume licensing subscribers evaluating Windows 8 won't continue to be vulnerable to known Flash vulnerabilities until GA in October.

But whatever decision, mistake or misunderstanding might turn out to be the explanation for this move, it's worrying for what it says about security process — which is something Microsoft has done pretty much right ever since Bill Gates hit the reset button on development after Blaster and retrained the entire company to think secure.

The Security Design Lifecycle Microsoft uses is recognised as a gold standard for software development. It's taken Windows from notoriously insecure to probably the most secure mainstream OS on the market in Windows 8. Security experts picking over the protections at the Black Hat hacker conference this year suggested that attackers would have to turn to vulnerable applications such as, say, Flash, instead of cracking the OS itself.

There's also a process for keeping it that way. To avoid new issues or regular patches distracting the core Windows team while they're hard at work on the next version of Windows — in this case, whatever Windows 9 turns out to be — once Windows hits RTM, the code is handed over to the Sustained Engineering (SE) team who deal with hotfixes, security patches and updates.

SE has patched pretty much every version of Windows between RTM and general availability, so it can't be fear of bad publicity. Besides, it would be Flash getting the bad publicity, not Windows. Frankly, I'm at a loss as to why the process wasn't ready to cover this eventuality.

I had another "I really can't believe they did that" moment recently, when it turned out that the build process for Windows 7 with Service Pack 1 had unaccountably omitted to include the browser ballot screen.

Including the browser ballot screen hadn't been necessary when SP1 was an update you applied to a system that already had Windows 7 because you'd already seen the ballot. But when it turned into a standalone OS that was going to OEMs and being put on DVDs, it needed to have the browser ballot in case it was going onto PCs that didn't already have Windows 7.

I don't see that as a sneaky attempt to protect Internet Explorer. Frankly, IE 10 is a solid and performant modern browser that can stand on its own tabs. This omission was a mistake pure and simple. Remember, between malice, malevolence and mistake, William of Occam points us to mark one human error every time. But again, it's the kind of mistake there should be a process in place to prevent — and if necessary, a process in place to check the process.

Compliance and security issues

The combination of the consent decree and the security woes of Windows XP made Microsoft careful about compliance and security issues. I know of major releases of products from software companies Microsoft has acquired that were postponed for months to fix known vulnerabilities because the Microsoft mindset was so security conscious. Now is not the time for that attitude to change.

With Windows 8 and Surface — and Windows Phone 8, Office 2013, Server 2012, Visual Studio 2012 and System Center 2012 SP1 and all the other products getting updated to go with Windows 8 — Microsoft is making a huge bet. This is the moment when the PC can either go on to be a telling part of our computing future or turn out to be a technology whose time is within perhaps five years of ending.

I'm expecting the PC to last, because I want a powerful computer that gives me choices instead of just a simplified and streamlined computing appliance.

I want to run Photoshop as well as Instagram. I want a word processor with macros and revision-tracking that can cope with 20,000 word documents as well as a tool for writing a quick shopping list. I want to be able to edit videos as well as watching them and I want to do it all on my choice of hardware and format — touchscreen and keyboard, please, preferably with a detachable screen.

But all that choice and power comes with a price, and not just the complexity that has driven plenty of people to an iPad for the times when simple is better. To be open enough to allow everything people want to do, the PC has to be open enough that security will always remain a potential issue because you can't assume a program doing something new is attacking the system. It might just be doing something new and clever that the user actually wants.

Making the power of the PC usable

Security, reliability and performance are key to making the power of the PC usable rather than a liability, and until the Flash update question I've believed Windows 8 has all three.

I'm still prepared to believe that, as long as Flash updates get a real solution, because I'm less worried about this single mistake — dumb as it appears to be at first glance — than the process that let it happen.

Windows 8 is both an improvement in the technology we already use and a shift to a new generation of technology, from ARM chips to touchscreens, to new hardware designs, to a new programming model.

This kind of generational technology update is something RIM has looked dangerously close to fumbling over the past couple of years and getting it right requires not just great technology but great execution as well. Execution, I always say, is something you either do or have done to you.

Microsoft has had a great year so far. Assuming these problems are dealt with in the right way, we can call them relatively minor issues that were sorted out once they were noticed. Everyone makes mistakes. What's important is how they're dealt with, which includes finding out what went wrong and making sure it doesn't happen again, which is what processes are for.

But in such a crucial year, Microsoft doesn't have room to make many mistakes if it's going to move from doing 90 percent of the job well — a target it hits on just about every product but just isn't good enough to compete with products such as the iPad and the entrenched Apple ecosystem — to the kind of surprise and delight that marks a winning release.


UPDATE: Microsoft has now confirmed to ZDNet's Ed Bott that a Flash update for IE10 addressing these vulnerabilities will be available "shortly" and that the goal is to release future Flash updates on a schedule that matches Adobe's releases "as closely as possible" rather than the usual once-a-month IE updates. This is a very welcome change of heart. It remains worrying that the processes for updating a component that you can't uninstall from IE10 were not in place before RTM but it's good to see Microsoft reacting swiftly to these concerns and addressing the issue of future updates.

Topics: Microsoft, Browser, Security, Windows, Web development

Mary Branscombe

About Mary Branscombe

Mary Branscombe is a freelance tech journalist. Mary has been a technology writer for nearly two decades, covering everything from early versions of Windows and Office to the first smartphones, the arrival of the web and most things in between.

  • Is Microsoft forgetting what it knows about security process?

    The answer would be no. They spent months incorporating a security program called the trustworthy computing initiative.
    Loverock Davidson-
    • months?

      No, try years. Trustworthy Computing wasn't fully realized until Windows Vista.
      The one and only, Cylon Centurion
      • Shhh...

        Don't tell him that. Fool.
        Cylon Centurion II
  • heh

    "The Security Design Lifecycle Microsoft uses is recognised as a gold standard for software development."

    If by "gold" you mean "rusted iron." Microsoft's improving in security, but gold they ain't.
    • I Hope You Understand..

      What the Security Design Lifecycle is before commenting on what it "ain't". Microsoft is recognized in the industry for its software design process that is all about security and preventing vulnerabilities. They even make a lot of their tools publicly available for you to review a lot of known security issues with recommendations on how to avoid the vulnerability, how to mitigate the potential for attack, or at least require acceptance that the vulnerability exists. Perhaps if Adobe or Oracle pick up their methodologies everyone would be more secure.

      You can dispute whether or not the OS is secure, but I would review your knowledge on the design process before knocking their methods.
      • *yawn*

        "Microsoft is recognized in the industry for its software design process that is all about security and preventing vulnerabilities."

        That explains why we struggle with security in a lot of software.
        • *yawn*

          "That explains why we struggle with security in a lot of software."

      • "Preventing Vulnerabilities"

        Sorry, but while Microsoft has been getting better, they were NEVER good at this.

        They've had to tack security on as an afterthought with both the Windows 9x series (which thankfully ended with ME), and unfortunately even the Windows NT series (Surprise, what we use today). They cannot scrap and redesign it because too much software exists for it, and they can't let down their enterprise customers. So they're having to stick with a more or less flawed design that was NOT designed to prevent vulnerabilities, and they're having to work around the design to plug the gaping holes.

        If anything, they have shown that they are excessively good at plugging holes; probably better than most software development companies. However, designing products with security in mind from the start? Go look up some UNIX-like operating systems. Especially OpenBSD. THOSE are designed to be secure from the ground up, not Microsoft Windows.
  • RE: Panic on the Streets of Redmond (with apologies to The Smiths)

    Everything about WIN 8 from forgetting to check if "Metro" would cause a copyright issue to the design to the rush rush to force the design on all products to throwing vendors and desktop users under the bus, using Apple Security smacks of a panic driven belief that Apple is superior to them. Yeah Apple threw out flash Microsoft is using the cheap way to force users out of using it or so it seems. Sad and unnecessary time for tech and Windows lifers.
  • Overblown?

    I'm failing to understand your tempest, because I keep seeing a teacup.

    A major Flash update won't be incorporated in the final release. Moments after launch, your OS will pull down the update and apply it. Are you missing the idea that at some point a software company has to sign off on a product, code freeze, and prepare for shipping?

    I realize there will be a lot more digital downloads of this OS, but it still ships as a boxed product in about 6 weeks. They can't keep adding every third-party update and testing it end-to-end right up to the last minute.

    I'm confused about the article in general--we start off with a damning headline, harsh criticism about a security lapse, then a historically-backed praise for the great security practices, then heaping some more praise in a pseudo-review and the author's wish list, to wrap up with a bit more, "But they better do this one thing, too, or else!"
    • Re: Moments after launch, your OS will pull down the update and apply it.

      Why? If the update is already available, why not include it? Windows is already notorious for requiring tons of updates every time you switch it on and just want to use the damn thing, why not make some effort to ease this nuisance?
      • Give Apple Update a try some time!

        Give Apple Update a try some time :-|
    • Thank you!!

      These people think you can just throw new version of components in a product that is already almost out of the door. Keep working at DD where you can just add some sugar at the end.
    • that's what Sustained Engineering is for; testing & shipping updates

      By baking Flash into IE, Microsoft took it from a third-party tool users can update to something only Microsoft can update, but instead of including it properly in an existing process that's in place exactly to deal with post-RTM code, Microsoft actually made Flash security worse. It's a small error but as security is all about process, it's a significant error in that process. If Microsoft's security process fails on Flash as its compliance process failed on the browser ballot for SP1, that raises concerns.

      How long after making Windows 8 available through Volume Licencing should Microsoft do the work to make it secure? Because it's been on VL since the beginning of this month...
    • You missed the point

      The point is not to update the DVDs with the shipped product, but to provide software update to Microsoft customers who already took the risk to actually install Windows 8 and are therefore forced to use IE10.

      These computers are already live, on Internet. There is nothing to wait here.
  • A Correction Offered

    Occam's Razor is generally paraphrased as "Among a set of possible explanations, the simplest is the most likely." In confirming what I thought I knew about Father William of Ockham, a British Franciscan Friar logician and theologian who inspired the first articulation of the razor in 1852.

    In confirming what I thought I recalled, I find that Wikipedia describes my paraphrase as a commonly used incorrect one.

    From Wikipedia, "It is a principle urging one to select from among competing hypotheses that which makes the fewest assumptions." As such, it is a guide to selecting which hypothesis one should first address with experimentation and is not a proof or a guide as to the correctness of a hypothesis.

    Robert J. Hanlon is one of a few persons who said something along the lines of "Never attribute to malice that which is adequately explained by stupidity." It was Hanlon who called it Hanlon's Razor.

    As to the real point, I do agree that oversight is a fairly likely explanation, but let me propose DannyO's Mixin: "Sometimes people do stuff to see if anyone is watching."
    • Weren't We Talking about the Edit Button Yesterday

      Yes. Yes we were.

      Pardons requested for my incompletely edited post featuring that ugly sentence fragment.
  • As long as this Flash delay is a one-off I'm happy with it.

    As long as this Flash delay is a one-off I'm happy with it. If it becomes regular Microsoft delay Flash (like Apple did with Java) then I'll be considered. That said, I don't use IE except on rare occasion anyway.
  • Huh?

    "Security" and "Microsoft" in the context of what they "know" shouldn't be a very long article. I'm less concerned with what they've "known" and more concerned with that they have "learned." Windows 8, however, will be a huge boon for Windows 7.
    • Huh^2

      I am actually more concerned with what they are doing. Microsoft's record to date concerning security is abysmal, to say the least.

      Promises and at that, promises for which you have to pay... no, thanks.